On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal [off-list ref] wrote:

Cong Wang [off-list ref] wrote:

quoted

On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal [off-list ref] wrote:

quoted

Joe described it nicely, problem is that after unload we may have
conntracks that still have a nf_conn_help extension attached that
has a pointer to a structure that resided in the (unloaded) module.

Why not hold a refcnt for its module?

That would work as well.

I'm not sure its nice to disallow rmmod of helper modules if they are
used by a connection however.

I am _not_ suggesting to disallow rmmod.

Right now you can "rmmod nf_conntrack_foo" at any time and this should
work just fine without first having to flush affected conntracks
manually.

My point is that since netns wq could invoke code of that module,
why it doesn't hold a refcnt of that module?

I am not familiar with netfilter code base so not sure if that is
hard to do or not, but it looks more elegant than this barrier.