Displaying 1 result from an estimated 1 matches for "ip_confirm".
Did you mean:
ip_confim
2006 Jul 25
0
[Bug 495] New: Netfilter Connection Tracking Race Condition in Kernel 2.4.x
...he others are silently
dropped.
Analysis
We instrumented the kernel to find out where the drop was occurring.
The code doing the dropping was ip_refrag() in
net/ipv4/netfilter/ip_conntrack_standalone.c, specifically:
/* We've seen it coming out the other side: confirm */
if (ip_confirm(hooknum, pskb, in, out, okfn) != NF_ACCEPT)
return NF_DROP;
The dropping is caused by a race between the first packet of a given
tuple making it to confirmed state, and the arrival of another packet
with the same tuple. If a second packet arrives before the first is
confirmed, it...