(iptables) ip_conntrack bug?
Thu, 16 Nov 2000 02:00:00 +0200 (IST)
> > > I have also seen this happen on a box which ran test9. Apparently because of
> > > its long uptime, because the logs showed no signs of an attack.
> > >
> > > I guess conntrack forgets to flush some entries? Or maybe there is no way it can
> > > recover from a full conntrack table? Is it maybe necessary to make the maximum
> > > size a configurable option? Or a userspace conntrack daemon like the arpd?
> > From reading the sources I got the impression that the use count of
> > the ip_conntrack struct isn't decremented properly. This causes
> > destroy_conntrack() not to free ip_conntrack's - which results in allocation
> > until the maximum (ip_conntrack_max), and failing to allocate new ones.
> I think I got something, icmp_error_track() increases the use count
> (calling ip_conntrack_find_get()) when it returns with no error (not NULL).
> Whoever calls icmp_error_track() and gets a valid pointer to ip_conntrack,
> must call ip_conntrack_put() - look at ip_conntrack_in(), line 685, the
> pointer is just used in a boolean expression without calling
> ip_conntrack_put(). I'm not sure if other places needed fixing, but anyway
> try this patch:
I'm not sure this works, since the use count also counts for skb's:
icmp_error_track() makes the skb refer to this conntrack in case of
success, intentionally not calling ip_conntrack_put().
So now I'm clueless, although I'm almost certain it's a use count
problem. I'd be happy to hear from Rusty or someone on the netfilter
mailing list about this.
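To make the failure mode the thread is arguing about concrete, here is an added toy model of the get/put reference-counting pattern. It is not code from this thread or from the netfilter/ip_conntrack sources; all names (ct_find_get, ct_put, ct_timeout, CT_MAX, and so on) are hypothetical stand-ins, and it deliberately leaves out the skb-held reference the last message mentions. It shows why a lookup whose result is only used as a boolean, without a matching put, leaves every entry with a stray reference, so the timeout can never free them and the table fills up to its maximum, after which new entries cannot be created.

```c
#include <stdio.h>
#include <string.h>

#define CT_MAX 4 /* hypothetical stand-in for a small ip_conntrack_max */

/* Constructed connection-tracking entry: key stands in for the 5-tuple. */
struct ct_entry {
    int key;
    int use;      /* reference count: the table holds one, each lookup adds one */
    int dying;    /* timeout fired: destroy once the last reference is dropped */
    int occupied; /* slot in use */
};

static struct ct_entry table[CT_MAX];
static int ct_count;

static void ct_reset(void) { memset(table, 0, sizeof table); ct_count = 0; }

/* Look up an entry and take a reference; caller must ct_put() it. */
static struct ct_entry *ct_find_get(int key) {
    for (int i = 0; i < CT_MAX; i++)
        if (table[i].occupied && table[i].key == key) { table[i].use++; return &table[i]; }
    return NULL;
}

/* Create a new entry owned by the table (use == 1); fails when the table is full. */
static struct ct_entry *ct_new(int key) {
    if (ct_count >= CT_MAX) return NULL;
    for (int i = 0; i < CT_MAX; i++)
        if (!table[i].occupied) {
            table[i].occupied = 1; table[i].key = key; table[i].use = 1; table[i].dying = 0;
            ct_count++;
            return &table[i];
        }
    return NULL;
}

static void ct_destroy(struct ct_entry *ct) { ct->occupied = 0; ct_count--; }

/* Drop a reference; free the entry only when nobody holds it and it has timed out. */
static void ct_put(struct ct_entry *ct) {
    if (--ct->use == 0 && ct->dying) ct_destroy(ct);
}

/* Timeout handler: the table gives up its own reference. */
static void ct_timeout(struct ct_entry *ct) { ct->dying = 1; ct_put(ct); }

/* Correct caller: the reference taken by the lookup is released. */
static int lookup_balanced(int key) {
    struct ct_entry *ct = ct_find_get(key);
    if (!ct) return 0;
    ct_put(ct);
    return 1;
}

/* Bug pattern from the thread: result used only as a boolean, reference never dropped. */
static int lookup_leaky(int key) {
    struct ct_entry *ct = ct_find_get(key);
    return ct != NULL;
}

/* Fill the table, run one lookup per entry, then time every entry out.
   Returns how many entries still occupy the table afterwards (0 if all were freed). */
static int simulate(int (*lookup)(int)) {
    ct_reset();
    for (int k = 0; k < CT_MAX; k++) {
        if (!ct_new(k)) return -1;
        lookup(k);
    }
    for (int k = 0; k < CT_MAX; k++) {
        struct ct_entry *ct = ct_find_get(k);
        if (ct) { ct_put(ct); ct_timeout(ct); }
    }
    return ct_count;
}

/* After the simulation, can a new connection still be tracked? 1 = yes, 0 = table full. */
static int can_create_after(int (*lookup)(int)) {
    simulate(lookup);
    return ct_new(100) != NULL;
}

int main(void) {
    printf("balanced: %d left, new entry ok=%d\n", simulate(lookup_balanced), can_create_after(lookup_balanced));
    printf("leaky:    %d left, new entry ok=%d\n", simulate(lookup_leaky), can_create_after(lookup_leaky));
    return 0;
}
```

With the balanced caller the timeouts free everything and a new entry can be created; with the leaky caller every entry keeps use == 1 after its timeout, ct_count stays at CT_MAX, and ct_new() fails, which is the "allocation until ip_conntrack_max, then failing to allocate new ones" symptom described earlier in the thread. In the real code the skb-held reference changes which caller is responsible for the put, which is exactly the open question above.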