| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 May 2020 10:24:44 +0300
From: Paul Blakey <paulb@...lanox.com>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: Oz Shlomo <ozsh@...lanox.com>, Roi Dayan <roid@...lanox.com>,
netdev@...r.kernel.org, Saeed Mahameed <saeedm@...lanox.com>,
netfilter-devel@...r.kernel.org
Subject: Re: [PATCH net] netfilter: flowtable: Fix expired flow not being
deleted from software
On 5/11/2020 1:26 AM, Pablo Neira Ayuso wrote:
> On Wed, May 06, 2020 at 02:27:29PM +0300, Paul Blakey wrote:
>> Once a flow is considered expired, it is marked as DYING, and
>> scheduled a delete from hardware. The flow will be deleted from
>> software, in the next gc_step after hardware deletes the flow
>> (and flow is marked DEAD). Till that happens, the flow's timeout
>> might be updated from a previous scheduled stats, or software packets
>> (refresh). This will cause the gc_step to no longer consider the flow
>> expired, and it will not be deleted from software.
>>
>> Fix that by looking at the DYING flag as in deciding
>> a flow should be deleted from software.
> Would this work for you?
>
> The idea is to skip the refresh if this has already expired.
>
> Thanks.
The idea is ok, but timeout check + update isn't atomic (need atomic_inc_unlesss
or something like that), and there is also
the hardware stats which if comes too late (after gc finds it expired) might
bring a flow back to life.
Powered by blists - more mailing lists