Displaying 2 results from an estimated 2 matches for "ctrack".
2003 Aug 02
0
[SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS
..._general.use);
+ set_bit(IPS_CONFIRMED_BIT, &ct->status);
WRITE_UNLOCK(&ip_conntrack_lock);
return NF_ACCEPT;
}
@@ -585,7 +583,7 @@
connection. Too bad: we're in trouble anyway. */
static inline int unreplied(const struct ip_conntrack_tuple_hash *i)
{
- return !(i->ctrack->status & IPS_ASSURED);
+ return !(test_bit(IPS_ASSURED_BIT, &i->ctrack->status));
}
=20
static int early_drop(struct list_head *chain)
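Review bot: In `unreplied()`, `test_bit()` operates on an `unsigned long` word, and this hunk does not show the declaration of `status`. If the field is still a narrower integer type, `test_bit()` here and the `set_bit(IPS_CONFIRMED_BIT, &ct->status)` added earlier in the patch would access memory beyond the field, and on 64-bit big-endian machines would address the wrong bytes. Confirm the same patch declares it as `unsigned long status;`. The outer parentheses are also redundant: `return !test_bit(IPS_ASSURED_BIT, &i->ctrack->status);`. `unreplied()` is complete in this hunk, while `early_drop()` continues outside it.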
@@ -720,7 +718,7 @@
conntrack, expected);
/* Welcome, Mr. Bond. We've been expecting you... */
IP_NF_ASSERT(master_ct(conntrack))...
2006 Jul 25
0
[Bug 495] New: Netfilter Connection Tracking Race Condition in Kernel 2.4.x
...-777,6 +777,14 @@
/* look for tuple match */
h = ip_conntrack_find_get(&tuple, NULL);
if (!h) {
+ READ_LOCK(&ip_conntrack_lock);
+ h = LIST_FIND(&unconfirmed, conntrack_tuple_cmp,
+ struct ip_conntrack_tuple_hash *, &tuple, NULL);
+ if (h)
+ atomic_inc(&h->ctrack->ct_general.use);
+ READ_UNLOCK(&ip_conntrack_lock);
+ }
+ if (!h) {
h = init_conntrack(&tuple, proto, skb);
if (!h)
return NULL;
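Review bot: The lookup on `unconfirmed` and the fallback to `init_conntrack()` are not atomic, because `READ_UNLOCK(&ip_conntrack_lock)` runs before the second `if (!h)` is evaluated. Two CPUs handling the same tuple can therefore both miss in both lookups and both allocate, unless `init_conntrack()` rechecks the list under the write lock, which this hunk does not show. It is also worth confirming that the rest of the code tolerates two packets holding a reference to the same unconfirmed entry, since the confirm path would presumably then run once per packet. At minimum I would add a comment above the new block, e.g. `/* Not in the hash: a racing packet may already have an unconfirmed entry for this tuple; take a reference to it instead of allocating a duplicate. */`. The enclosing function starts and ends outside the hunk.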
This patch reliably ends the race, and we no longer have mysteriously
disappearing packets. Not being netfilter experts, we're not certain
th...