
Re: [PATCH] fix netfilter refcounting [was Re: Conntrack leak (2.6.2rc2)

To: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH] fix netfilter refcounting [was Re: Conntrack leak (2.6.2rc2)]
From: "David S. Miller" <davem@xxxxxxxxxx>
Date: Tue, 3 Feb 2004 09:48:08 -0800
Cc: steve@xxxxxxxxxxxx, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.33.0402031825170.11950-100000@blackhole.kfki.hu>
References: <Pine.LNX.4.33.0402031629150.11737-100000@blackhole.kfki.hu> <Pine.LNX.4.33.0402031825170.11950-100000@blackhole.kfki.hu>
Sender: netdev-bounce@xxxxxxxxxxx
On Tue, 3 Feb 2004 18:43:38 +0100 (CET)
Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:

> Steve Hill reported a conntrack leakage in 2.6.2-rc2 when nat is enabled
> and the system forwards fragmented packets. It turned out that an
> nf_conntrack_put was missing from ip_copy_metadata:

Yeah, but... look at what you patched.

>       /* Connection association is same as pre-frag packet */
> +     nf_conntrack_put(to->nfct);
>       to->nfct = from->nfct;
>       nf_conntrack_get(to->nfct);
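
Review bot: the comment above the added nf_conntrack_put(to->nfct) still says only that the connection association is the same as the pre-frag packet, which does not explain why `to` would already hold a conntrack reference that has to be dropped at this point. If to->nfct can be set on entry, the comment (or the changelog) should say so and name where that reference is taken; if it cannot, the added put has nothing to release and the leak has to be coming from somewhere else.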

What about that comment?
