On Wed, May 04, 2016 at 12:27:36AM +0200, Florian Westphal wrote:

Pablo Neira Ayuso [off-list ref] wrote:

quoted

quoted

-	if (NF_CT_DIRECTION(hash))
-		goto release;
-	if (nf_ct_l3num(ct) != AF_INET)
+	/* check if we raced w. object reuse */
+	if (!nf_ct_is_confirmed(ct) ||

This refactoring includes this new check, is this intentional?

Hmm, yes and no.

I should have put it in an extra commit :-/

Without this, we might erronously print a conntrack that is NEW
and which isn't confirmed yet.

We won't crash since seq_print doesn't depend on extensions being
set up properly, but it seems better to only display those conntracks
that are part of the conntrack hash table (i.e., have the confirmed bit
set).

I see, a conntrack that shouldn't be printed be sneak in the listing.

Let me know if you want me to respin this as a separate fix, thanks!

I will just append a notice on the commit message before applying.