bugzilla-daemon@bugzilla.netfilter.org
2006-Mar-12 15:09 UTC
[Bug 404] Packets stuck in netfilter_queue after heavy loading
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=404

kaber@trash.net changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |ASSIGNED |RESOLVED
Resolution |         |FIXED

------- Additional Comments From kaber@trash.net 2006-03-12 15:09 MET -------

Turns out the problem is already fixed in current kernels. min_len in nfnetlink_check_attributes was calculated incorrectly, which resulted in attrlen being larger than the attribute really was. When the entire packet was parsed we still had attrlen > 0, and if the memory contents behind the packet data by accident looked like a valid attribute, it was also parsed, but usually didn't contain valid attribute numbers, so the packet was dropped.
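The failure mode described in the comment above, as an added example that is not the kernel's code and not part of the original mail: a TLV walk whose remaining length is derived from a header length that is too small keeps parsing into the bytes behind the message. The layout, sizes and all names (`walk_attrs`, `parse`, `demo`) are assumptions, and the page does not show which term of min_len was wrong, so the bug is modelled simply as a too-small header length.

```c
#include <stdint.h>
#include <string.h>

/* Constructed netlink-style layout; all sizes and names are assumptions. */
#define ALIGN4(n)  (((n) + 3u) & ~3u)
#define MSG_HDRLEN 16u  /* outer message header */
#define SUB_HDRLEN 4u   /* subsystem header in front of the attributes */
#define ATTR_MAX   4u   /* highest attribute type the receiver knows */

struct attr { uint16_t len; uint16_t type; };  /* len counts this header too */

/* Walk TLVs in [p, p + attrlen). Stops at the first header that does not fit;
 * returns the number parsed, or -1 (message dropped) on an unknown type. */
static int walk_attrs(const uint8_t *p, size_t attrlen)
{
    struct attr a; int n = 0;
    while (attrlen >= sizeof a) {
        memcpy(&a, p, sizeof a);
        if (a.len < sizeof a || a.len > attrlen)
            break;
        if (a.type == 0 || a.type > ATTR_MAX)
            return -1;
        size_t step = ALIGN4(a.len) < attrlen ? ALIGN4(a.len) : attrlen;
        p += step;
        attrlen -= step;
        n++;
    }
    return n;
}

/* hdr_len is what the caller believes precedes the attributes. Passing too
 * small a value (assumed bug shape) leaves attrlen larger than the real data. */
static int parse(const uint8_t *msg, size_t msg_len, size_t hdr_len)
{
    if (msg_len < hdr_len) return -1;
    return walk_attrs(msg + MSG_HDRLEN + ALIGN4(SUB_HDRLEN), msg_len - hdr_len);
}

/* Constructed sample: a 28-byte message with one attribute, followed in the
 * same buffer by 16 bytes standing in for "memory behind the packet". */
static int demo(uint16_t stale_len, uint16_t stale_type, int fixed)
{
    uint8_t buf[44] = {0};
    struct attr real = { 8, 1 }, stale = { stale_len, stale_type };
    memcpy(buf + 20, &real, sizeof real);
    memcpy(buf + 28, &stale, sizeof stale);
    return parse(buf, 28, fixed ? MSG_HDRLEN + ALIGN4(SUB_HDRLEN) : ALIGN4(SUB_HDRLEN));
}

int main(void) { return demo(8, 200, 1) == 1 ? 0 : 1; }
```

With the short header length the result depends on whatever follows the message: zeros are ignored, a plausible-looking attribute is accepted as a second one, and an attribute-shaped run with an unknown type gets the whole message dropped. With the full header length the walk ends exactly at the message boundary.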