At 2017-05-09 17:21:02, "Florian Westphal" <f...@strlen.de> wrote:
>gfree.w...@vip.163.com <gfree.w...@vip.163.com> wrote:
>> When one netfilter rule or hook stoles the skb and return NF_STOLEN,
>> it means the skb is taken by the rule, and other modules should not
>> touch this skb ever. Maybe the skb is queued or freed directly by the
>> rule.
>> 
>> Now uses the nf_hook instead of NF_HOOK to get the result of netfilter,
>> and check the return value of nf_hook. Only when its value equals 1, it
>> means the skb could go ahead. Or reset the skb as NULL.
>> 
>> BTW, because vrf_rcv_finish is empty function, so needn't invoke it
>> even though nf_hook returns 1.
>
>Thats a bug then.
>
>The okfn (if called) takes ownership of skb and must free it eventually.
>Otherwise userspace queueing leaks skb on reinjection.
>
>(see nf_reinject() and its use of okfn()).

Thanks, I only thought about the stolen case like synproxy which would free the 
skb directly,
and forget the userspace could reinject the skb.

I would update the patch.

Best Regards
Feng

Reply via email to